In a blistering report, the inspector general's office in the Department of Veterans Affairs said a series of missteps led to theft of hardware containing data on millions of veterans and held up response after the fact.

The report, published Tuesday, blames agency officials for acting "with indifference and little sense of urgency" after the loss of the computer hardware in a house robbery. This, in part, caused the department's slow response to the breach. The theft occurred on May 3, but the secretary of Veterans Affairs was not notified until May 16, and Congress and veterans did not hear of it until May 22. (Download a PDF of the report.)

The laptop and an external hard disk drive, which actually contained sensitive information on about 26 million veterans, were recovered on June 28. The FBI and the Department of Veterans Affairs determined with a high degree of confidence that the data on the external drive was not compromised.

Veterans Affairs employees at all levels get a scathing review in the report, as do the agency's practices. Investigators found a "patchwork of policies," none of which adequately safeguarded information at the department. Furthermore, no rule barred the storing of information on personal hardware and taking it from the worksite.

Still, the data analyst who took the data home to work on a personal project "used extremely poor judgment" and was not authorized to take the data, the report said. After his house was burglarized and the hardware stolen, he did, however, quickly report the theft, including the fact that there was sensitive data on the drive, the report said.

Following the notification, the department dragged its feet over its response, which was inadequate, according to the report. The notification was mired in bureaucracy and even some infighting at the department, with people passing it from one desk to another, the report said.

"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility," according to the report.

For example, upon receiving notification of the theft, the department's deputy assistant secretary for policy, Michael McLendon, decided to rewrite it, stating it was inadequate, according to the report. In fact, the investigators found that McLendon wanted to rewrite it to falsely downplay the risk of the misuse of the stolen data. The data could be read without special software, contrary to McLendon's assertion, investigators found.

The unnamed data analyst took the data home to work on a "fascination project" to test the accuracy of a 2001 survey of veterans. He has reportedly been fired, but is fighting his termination. McLendon and Dennis Duffy, the acting head of the division the analyst worked in, have reportedly resigned or have been put on administrative leave.

Nothing surprises me about this situation. It's more <a class="jive-link-external" href="http://www.techknowcafe.com/content/view/551/43/" target="_newWindow">http://www.techknowcafe.com/content/view/551/43/</a>incredible that people have any faith in these government branches at all.

Nothing surprises me about this situation. It's more <a class="jive-link-external" href="http://www.techknowcafe.com/content/view/551/43/" target="_newWindow">http://www.techknowcafe.com/content/view/551/43/</a>incredible that people have any faith in these government branches at all.

This only reinforces the argument to downsize the federal government, as well as growing local and state governments. Moreover, these bureaucrats don't know s**t from shinola, much less best practices in computer and physical security.

Government agencies like the VA need to be as accountable as say Government asks the private sector to be <a class="jive-link-external" href="http://www.iwantmyess.com/?p=79" target="_newWindow">http://www.iwantmyess.com/?p=79</a>

Would a hospital who leaked ALL of its patient info still be in business without significant reprocussions?

This only reinforces the argument to downsize the federal government, as well as growing local and state governments. Moreover, these bureaucrats don't know s**t from shinola, much less best practices in computer and physical security.

Government agencies like the VA need to be as accountable as say Government asks the private sector to be <a class="jive-link-external" href="http://www.iwantmyess.com/?p=79" target="_newWindow">http://www.iwantmyess.com/?p=79</a>

Would a hospital who leaked ALL of its patient info still be in business without significant reprocussions?

Same way they tell the rest of the lies that are the stock-in-trade of all bureaucrats and politicians. We unhappy few know how full-of-it they are, but the vast baa-ing flocks will swallow it wholesale and vote the bastards back in.

Same way they tell the rest of the lies that are the stock-in-trade of all bureaucrats and politicians. We unhappy few know how full-of-it they are, but the vast baa-ing flocks will swallow it wholesale and vote the bastards back in.

Eventually I hope our government makes it a criminal offense to copy a database of private data onto a laptop. These databases need to be secured in a central vault that can only be accessed a) while in the building and b) with serious security clearance.

For those who want to conduct statistical analysis or other innocuous tests, a subset of the complete database that does not include personal information should be made available to employees. NO ONE needs SS numbers to conduct statistical experiments, as this guy was doing.

Exactly! I agree...people as well as computers nowadays are gathering more information than they need about us and then irresponsibly placing that information into huge unsecured and even mobile devices to maximize opportunity for theft. Not only should they make it a criminal offense, companies AND our government should start taking some security measures themselves to show some action.

People should be educated about the different ways they are vulnerable <a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article1.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article1.htm</a> and also learn how to protect themselves against such vulnerabilities. <a class="jive-link-external" href="http://www.essentialsecurity.com/products.htm" target="_newWindow">http://www.essentialsecurity.com/products.htm</a>

Eventually I hope our government makes it a criminal offense to copy a database of private data onto a laptop. These databases need to be secured in a central vault that can only be accessed a) while in the building and b) with serious security clearance.

For those who want to conduct statistical analysis or other innocuous tests, a subset of the complete database that does not include personal information should be made available to employees. NO ONE needs SS numbers to conduct statistical experiments, as this guy was doing.

Exactly! I agree...people as well as computers nowadays are gathering more information than they need about us and then irresponsibly placing that information into huge unsecured and even mobile devices to maximize opportunity for theft. Not only should they make it a criminal offense, companies AND our government should start taking some security measures themselves to show some action.

People should be educated about the different ways they are vulnerable <a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article1.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article1.htm</a> and also learn how to protect themselves against such vulnerabilities. <a class="jive-link-external" href="http://www.essentialsecurity.com/products.htm" target="_newWindow">http://www.essentialsecurity.com/products.htm</a>

With the height of the illegal immigration debate occuring and the government granting amnesty to illegal aliens for fraudulently using ssn's I wouldn't be surprised if LaRaza, Mecha or a hundred other groups have our ssn's and are giving them to illegal aliens to expedite their legalization compliments of the defacto Mexican government in DC. They will sell out even veterans to pander to their illegal alien brothers and sisters.

With the height of the illegal immigration debate occuring and the government granting amnesty to illegal aliens for fraudulently using ssn's I wouldn't be surprised if LaRaza, Mecha or a hundred other groups have our ssn's and are giving them to illegal aliens to expedite their legalization compliments of the defacto Mexican government in DC. They will sell out even veterans to pander to their illegal alien brothers and sisters.

The big point here is that this incident is a catalyst for proving the necessity for protecting mobile information, be it on a laptop, USB device or email. Data in transit is always at risk of being intercepted and stolen, and if that is important to you, then you and your agency/company must be proactice in protection valuable information. Easy solution are available and often free to try, like Taceo. <a class="jive-link-external" href="http://www.essentialsecurity.com/products.htm" target="_newWindow">http://www.essentialsecurity.com/products.htm</a>

The big point here is that this incident is a catalyst for proving the necessity for protecting mobile information, be it on a laptop, USB device or email. Data in transit is always at risk of being intercepted and stolen, and if that is important to you, then you and your agency/company must be proactice in protection valuable information. Easy solution are available and often free to try, like Taceo. <a class="jive-link-external" href="http://www.essentialsecurity.com/products.htm" target="_newWindow">http://www.essentialsecurity.com/products.htm</a>

Anyone noticed the repeated mantra of "accessed" and "compromised" when referring to the data on recovered pc's/laptops?? That's because the authorities can't say the data wasn't forensically copied to another device for analysis at the thief's leisure. Meanwhile, John/Jane Doe are given a completely false sense of security!! The VA then revoked the free credit monitoring offer.

Anyone noticed the repeated mantra of "accessed" and "compromised" when referring to the data on recovered pc's/laptops?? That's because the authorities can't say the data wasn't forensically copied to another device for analysis at the thief's leisure. Meanwhile, John/Jane Doe are given a completely false sense of security!! The VA then revoked the free credit monitoring offer.

Has anyone considered that somebody 'high up' on the political food chain wanted the information without leaving a 'paper trai' to them? Knowing the whereabouts of every able-bodied ex-GI would be of great knowledge to someone who anticipates a situation of martial law in the not-to-distant future. The coincidence that this worker just happened to take the data home and just happened to have his computer stolen is a little more than simply far-fetched. It's ludicrous.If we put all the pieces in place, the wire-tapping, the attempted take-over (not decided yet?) of each State's National Guard, the Federal ID, the preservation of Internment Camps, the Fence on the Mexican border (us in or them out), the requisite passport to leave or enter (try getting one lately), the Shadow Budget (how much is being spent inside America?), and the promise of bigger future attacks, all spell disaster on the horizon. It's as if these people in our current Administration know something we don't and are preparing to NOT have to step out of office in 08. It is interesting that pulonium 210 is commonly used as a trigger for nuclear weapons, among other things. Is something coming? Do they have advance warning? What is really going on? Should we open our eyes or continue to play video games.?

Has anyone considered that somebody 'high up' on the political food chain wanted the information without leaving a 'paper trai' to them? Knowing the whereabouts of every able-bodied ex-GI would be of great knowledge to someone who anticipates a situation of martial law in the not-to-distant future. The coincidence that this worker just happened to take the data home and just happened to have his computer stolen is a little more than simply far-fetched. It's ludicrous.If we put all the pieces in place, the wire-tapping, the attempted take-over (not decided yet?) of each State's National Guard, the Federal ID, the preservation of Internment Camps, the Fence on the Mexican border (us in or them out), the requisite passport to leave or enter (try getting one lately), the Shadow Budget (how much is being spent inside America?), and the promise of bigger future attacks, all spell disaster on the horizon. It's as if these people in our current Administration know something we don't and are preparing to NOT have to step out of office in 08. It is interesting that pulonium 210 is commonly used as a trigger for nuclear weapons, among other things. Is something coming? Do they have advance warning? What is really going on? Should we open our eyes or continue to play video games.?

Report offensive content:

If you believe this comment is offensive or violates the CNET's Site Terms of Use, you can report it below (this will not automatically remove the comment). Once reported, our staff will be notified and the comment will be reviewed.

E-mail this comment to a friend.

E-mail this to:

Note: Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipients's address will be used for any other purpose.